CIO Insights and Analysis from Deloitte

Content from our sponsor. Please note: The Wall Street Journal News Department was not involved in the creation of the content below.


Measuring the True Impact of a Cyberattack

Finally, some realistic numbers help to quantify the effects of a large-scale cyberattack and give business leaders an irrefutable sense of what’s at stake.

High-profile cyberattacks have garnered much public and regulatory scrutiny in recent years, but the resulting attention has tended to distort many business leaders’ views of the true costs associated with these crises. While credible studies have calculated the per-record cost of a data breach, the larger business impacts—not just of breaches, but of other attacks with different aims—can reverberate far longer, and in more ways, than many leaders expect. Indeed, the full range of repercussions, which includes intangible effects such as brand damage or loss of intellectual property (IP), has been much harder to tally. Until now.

New research conducted jointly by Deloitte Advisory’s Cyber Risk Services, Forensics & Investigations, and Valuation teams provides a model for quantifying the myriad costs an organization typically incurs following a cyberattack. “Beneath the surface of a cyberattack: A deeper look at business impacts” describes 14 effects of a cyberincident, including direct costs like regulatory fines and public relations fees and intangible costs associated with lost customer relationships, reputation damage, and business disruption. Deloitte Advisory researchers used a variety of financial modeling, damages quantification, and business and asset valuation techniques to arrive at their estimates. A broad look at the short- and long-term effects of a cyberattack, the report is designed to help business leaders more effectively gauge cyber risks and prepare strategies for addressing them.

“Many business leaders tend to think of the costs of a cyberattack in terms of those commonly associated with data breaches, such as the costs of notifying customers, providing credit monitoring services, or paying regulatory fines and legal fees,” says Emily Mossburg, a principal with Deloitte & Touche LLP and leader of the resilient practice for Deloitte Advisory Cyber Risk Services. “But in many instances, those damages are just the tip of the iceberg and, in some cases, they may not apply at all. Rarely brought into full view are the costs and consequences of other, increasingly common attacks such as IP theft, cyberespionage, data destruction, or business disruption, which are much harder to quantify and can have a more significant impact.”

To illustrate hidden outcomes, the research presents two mock cyberattack scenarios. Each scenario describes a fictitious business, the cyberincident experienced, and the ripple effects from the attack in the subsequent days, months, and years. In one scenario, a foreign nation-state steals a significant portion of a tech company’s IP. The repercussions include a four-month suspension of sales while the company addresses security vulnerabilities in affected products; loss of a major customer contract, which leads to a 5 percent drop in revenue; operational disruption valued at $1.2 billion; and a devaluation of the company’s trade name by over $500 million. Expressed in dollars, the overall impact to the business is more than $3.6 billion.

In the other scenario, cybercriminals steal a laptop from a health insurance provider’s third-party vendor. The theft gives the cybercriminals access to millions of subscribers’ personal records and provides a means to manipulate a patient care application that delivers medical alerts to practitioners. In addition to the short-term disruption to operations and HIPAA fines, the incident results in protracted revenue losses, rounds of litigation, and higher borrowing costs that lead the company to delay a strategic acquisition.

“The scenarios show that cyberattacks can have unexpected consequences, and that the process of recovering from one may play out quite differently from what we see publicly in instances of large-scale consumer data breaches,” says Don Fancher, a principal with Deloitte Advisory and leader of Deloitte Forensics & Investigations. “Recovery can be far more complex, costly, and protracted than many business leaders realize.”

Preparing for the Inevitable

The findings in this report underscore the importance of resilience—an organization’s ability to lessen the impact of a cyberattack by responding rapidly and effectively. The following measures may help improve enterprise resilience:

Convene the right team. Companies can get a firm handle on the cyberthreats to which they are most vulnerable, and the specific business risks those threats pose, by bringing together executives from business and technical domains. These teams will likely include leaders who possess a deep understanding of business operations, revenue streams, the technology environment, and the organization’s broader risk profile.

Identify top risks and assets. Consider this a three-step exercise: Prioritize the core business processes that, if impaired, would significantly disrupt operations. Inventory the technology assets supporting those processes and evaluate their level of vulnerability to attack. Finally, estimate the various costs of an attack on those assets or processes. During this evaluation of risks, don’t focus narrowly on exposure of personally identifiable information; consider other possible attack objectives as well, such as IP theft, data destruction, or interruption of critical business processes.

Re-evaluate spending to decrease business impact. Because budgets will never be big enough to prevent the full range of possible incidents, adopt a risk-focused approach to allocating spending for a secure, vigilant, and resilient program. Use definitions of top risk areas and assets to model the impact of an attack more realistically and determine where and how much to budget. For some companies, this may require greater investment.

Redefine “readiness.” Build incident response plans that facilitate faster and more effective recovery, and broaden these plans to account for a fuller range of possible attack scenarios. Plans built on narrow assumptions about the nature and target of attacks are likely to fall short during a crisis.

*****

The modeling exercises detailed in “Beneath the surface…” show that a cyberattack’s toll can extend for years and encompass a much broader set of repercussions than those commonly revealed in the public domain, according to Hector Calzada, a managing director in Deloitte Advisory’s Business Valuation services. “Without a realistic discussion of business impact, some executives have a hard time discerning which of the many possible cybersecurity investments are most likely to improve their companies’ risk posture,” he says. “By understanding the true exposure a cyberattack may pose to their businesses, executives can begin to invest in a more focused manner.”

As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
